What problem does this paper attempt to address?

The problem that this paper attempts to solve is to explore the feasibility of Attribute Inference Attacks (AI) in machine - learning models. Specifically, the author studies whether an attacker can use some known records to infer the missing attributes in the training dataset when accessing the machine - learning model through an API. ### Research Background and Problem Description With the popularization of low - cost machine - learning APIs, many companies can make a profit by providing trained machine - learning models as services. However, privacy researchers have found that these models may leak information in the training dataset through Membership Inference Attacks (MI). MI attacks refer to the situation where an attacker infers whether an input belongs to the training dataset by observing the model's response to a specific input. On this basis, this paper focuses on another type of inference attack - Attribute Inference Attacks (AI). In AI attacks, an attacker tries to infer the missing attributes corresponding to some known features of a record in the training dataset by accessing the machine - learning model. ### Main Research Questions 1. **Effectiveness of AI Attacks**: This paper explores whether a classification model that is vulnerable to MI attacks is also vulnerable to AI attacks. 2. **Role of Strong Membership Inference (SMI)**: The author proposes and defines SMI, that is, an attacker can distinguish members in the training dataset from nearby non - members. Research shows that successful AI attacks depend on successful SMI attacks. 3. **Possibility of Approximate Attribute Inference (AAI)**: Although strict AI attacks are difficult to succeed, in some cases, an attacker can infer values close to the real attributes. ### Research Conclusions - **Relationship between MI and AI**: Experimental results show that even if a model is vulnerable to MI attacks, it is not necessarily vulnerable to AI attacks. This is because MI attacks cannot distinguish members from nearby non - members, that is, they cannot achieve Strong Membership Inference (SMI). - **Possibility of AAI Success**: Although strict AI attacks are difficult to succeed, Approximate Attribute Inference (AAI) is feasible in some cases, especially when the model is over - fitted. ### Formula Representation Some key concepts and formulas involved in the paper are as follows: - **Distance Metric**: Used to measure the distance between two vectors in the feature space, such as Hamming distance \(d_H\) and Manhattan distance \(d_M\). \[ d_H(x, x')=\sum_{i = 1}^{m}\mathbb{1}(x_i\neq x'_i) \] \[ d_M(x, x')=\sum_{i = 1}^{m}|x_i - x'_i| \] - **Membership Inference Advantage**: \[ \text{Adv}_{\text{MI}}(A, h, n, D)=\Pr[b' = 1|b = 1]-\Pr[b' = 1|b = 0] \] - **Strong Membership Inference Advantage**: \[ \text{Adv}_{\text{SMI}}(A, h, r, n, D)=\Pr[b' = 1|b = 1]-\Pr[b' = 1|b = 0] \] - **Attribute Inference Advantage**: \[ \text{Adv}_{\text{AI}}(A, h_X, m', n, D)=\Pr[\text{Exp}_{\text{AI}}(A, h_X, m', n, D)=1|b = 1]